Transplant of rev 544b654d000c: directory traversal attack in CGIHttpRequestHandler.

b3acaccf · Georg Brandl · 85b8be1a · b3acaccf · b3acaccf · b3acaccf
Commit b3acaccf authored Nov 11, 2013 by Georg Brandl
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 5 deletions

Lib/http/server.py Lib/http/server.py +4 -5

Lib/test/test_httpservers.py Lib/test/test_httpservers.py +12 -0

Misc/NEWS Misc/NEWS +5 -0

No files found.
--- a/Lib/http/server.py
+++ b/Lib/http/server.py
@@ -987,18 +987,17 @@ class CGIHTTPRequestHandler(SimpleHTTPRequestHandler):
    def run_cgi(self):
        """Execute a CGI script."""
-        path = self.path
        dir, rest = self.cgi_info
-        i = path.find('/', len(dir) + 1)
+        i = rest.find('/')
        while i >= 0:
-            nextdir = path[:i]
+            nextdir = rest[:i]
-            nextrest = path[i+1:]
+            nextrest = rest[i+1:]
            scriptdir = self.translate_path(nextdir)
            if os.path.isdir(scriptdir):
                dir, rest = nextdir, nextrest
-                i = path.find('/', len(dir) + 1)
+                i = rest.find('/')
            else:
                break

--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@@ -325,6 +325,7 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.parent_dir = tempfile.mkdtemp()
        self.cgi_dir = os.path.join(self.parent_dir, 'cgi-bin')
        os.mkdir(self.cgi_dir)
+        self.nocgi_path = None
        self.file1_path = None
        self.file2_path = None
@@ -345,6 +346,11 @@ class CGIHTTPServerTestCase(BaseTestCase):
            self.tearDown()
            self.skipTest("Python executable path is not encodable to utf-8")
+        self.nocgi_path = os.path.join(self.parent_dir, 'nocgi.py')
+        with open(self.nocgi_path, 'w') as fp:
+            fp.write(cgi_file1 % self.pythonexe)
+        os.chmod(self.nocgi_path, 0o777)
        self.file1_path = os.path.join(self.cgi_dir, 'file1.py')
        with open(self.file1_path, 'w', encoding='utf-8') as file1:
            file1.write(cgi_file1 % self.pythonexe)
@@ -362,6 +368,8 @@ class CGIHTTPServerTestCase(BaseTestCase):
            os.chdir(self.cwd)
            if self.pythonexe != sys.executable:
                os.remove(self.pythonexe)
+            if self.nocgi_path:
+                os.remove(self.nocgi_path)
            if self.file1_path:
                os.remove(self.file1_path)
            if self.file2_path:
@@ -418,6 +426,10 @@ class CGIHTTPServerTestCase(BaseTestCase):
        self.assertEqual((b'Hello World' + self.linesep, 'text/html', 200),
            (res.read(), res.getheader('Content-type'), res.status))
+    def test_issue19435(self):
+        res = self.request('///////////nocgi.py/../cgi-bin/nothere.sh')
+        self.assertEqual(res.status, 404)
    def test_post(self):
        params = urllib.parse.urlencode(
            {'spam' : 1, 'eggs' : 'python', 'bacon' : 123456})

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -7,6 +7,11 @@ What's New in Python 3.3.3?
 *Release date: XX-Nov-2013*
+Library
+-------
+- Issue #19435: Fix directory traversal attack on CGIHttpRequestHandler.
 Tests
 -----